Hello,

summary of set access rule with zope 2.5.0

1.) for a folder testfolder I have set "Set Access Rule" to python script accessHB to limit access

2.) as Chris McDonough has shown (thanks !) accessHB is working like:
From chrism@zope.com Thu Mar 21 19:21 MET 2002
Subject: Re: [Zope] set accessrule
Date: Thu, 21 Mar 2002 13:26:28 -0500
Hi,
I wouldn't bother to try to pass in REQUEST (the caller for access rules does not pass any arguments into the script). Instead, get the REQUEST from context, a la context.REQUEST. I think the test tab populates REQUEST for you via magic that doesn't happen when an access rule is called.
Your script becomes:
-----------------------------------------
## Script (Python) "accessruleHB"
##bind container=container
##bind context=context
##bind namespace=
##bind script=script
##bind subpath=traverse_subpath
##parameters=
##title=
##
# No session id for this visitor: send them back to the root folder.
if context.REQUEST.SESSION.get('MySessionId') is None:
    context.REQUEST.RESPONSE.redirect('/rootfolder')
-----------------------------------------
But there is a security problem with "Set Access Rule":

Any user even the unauthorized can get access to the folder (which is restricted by set accessrule) if he adds _SUPPRESS_ACCESSRULE to the url:

http: ... testfolder/_SUPPRESS_ACCESSRULE

gives access to restricted folder testfolder.

This may be a bug or has been done to get access in case of emergency, but it makes set accessrule (more or less) useless.

What can I do to prevent Zope to give access by adding _SUPPRESS_ACCESSRULE ?
Do I have to modify the programmes which implement set access rule ? I even don't know where these programmes are located.

With kind regards,
Juergen Berger
There is a simple answer to this question, but I'm not sure you're going to like it. ;-)

Don't solely use access rules for security. Instead, use the Zope security framework. Protect the folder with a permission.

----- Original Message -----
From: <jbr@FIZ-Karlsruhe.DE>
To: <zope@zope.org>
Sent: Thursday, March 21, 2002 6:38 PM
Subject: Re: [Zope] set accessrule
Hello,
summary of set access rule with zope 2.5.0
1.) for a folder testfolder I have set "Set Access Rule" to python script accessHB to limit access
2.) as Chris McDonough has shown (thanks !) accessHB is working like:
From chrism@zope.com Thu Mar 21 19:21 MET 2002 Subject: Re: [Zope] set accessrule Date: Thu, 21 Mar 2002 13:26:28 -0500
Hi,
I wouldn't bother to try to pass in REQUEST (the caller for access rules does not pass any arguments in to the script). Instead, get the REQUEST from context ala context.REQUEST. I think the test tab populates REQUEST for you via magic that doesn't happen when an access rule is called.
Your script becomes:
----------------------------------------- ## Script (Python) "accessruleHB" ##bind container=container ##bind context=context ##bind namespace= ##bind script=script ##bind subpath=traverse_subpath ##parameters= ##title=
if context.REQUEST.SESSION.get('MySessionId') == None: context.REQUEST.RESPONSE.redirect('/rootfolder') -----------------------------------------
But there is a security problem with "Set Access Rule":
Any user even the unauthorized can get access to the folder (which is restricted by set accessrule) if he adds _SUPPRESS_ACCESSRULE to the url:
http: ... testfolder/_SUPPRESS_ACCESSRULE
gives access to restricted folder testfolder.
This may be a bug or has been done to get access in case of emergency, but it makes set accessrule (more or less) useless.
What can I do to prevent Zope to give access by adding _SUPPRESS_ACCESSRULE ?
Do I have to modify the programmes which implement set access rule ? I even don't know where these programmes are located.
With kind regards, Juergen Berger
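To make Chris's point concrete, here is an added illustration that is not code from the thread and not Zope's own API: a small Python model of the two mechanisms being contrasted. An access rule is a hook that runs during traversal and can be skipped by the traverser (the model takes the skip trigger from Juergen's description of _SUPPRESS_ACCESSRULE, not from the Zope source, so treat that part as an assumption); a permission is checked by the security framework every time the object is published. The classes Request, Response and Folder and the functions publish, access_rule_hb and compare are stand-ins invented for this example.

```python
# Added example (not from the thread, not Zope's API): a model of an access
# rule as a skippable traversal hook versus a permission enforced on publish.

SUPPRESS_TOKEN = "_SUPPRESS_ACCESSRULE"   # path element named in the thread


class Response:
    """Stand-in for RESPONSE: remembers whether a redirect was issued."""
    def __init__(self):
        self.redirect_to = None

    def redirect(self, url):
        self.redirect_to = url


class Request:
    """Stand-in for REQUEST: a path, a SESSION mapping, a RESPONSE, and roles."""
    def __init__(self, path, session=None, roles=("Anonymous",)):
        self.path = path
        self.SESSION = dict(session or {})
        self.RESPONSE = Response()
        self.roles = set(roles)


class Folder:
    """Folder with an optional access rule and an optional 'View' role list.

    view_roles=None models a folder the security framework does not protect.
    """
    def __init__(self, name, access_rule=None, view_roles=None):
        self.name = name
        self.access_rule = access_rule
        self.view_roles = set(view_roles) if view_roles is not None else None


def access_rule_hb(request):
    """The session check from the accessruleHB script, as a plain function."""
    if request.SESSION.get("MySessionId") is None:
        request.RESPONSE.redirect("/rootfolder")


def publish(folder, request):
    """Model of publishing: traversal hook first, then the permission check.

    Returns 'redirect', 'denied' or 'ok'.
    Assumption (from the thread, not verified against Zope source): when the
    suppress token appears in the path, traversal skips the access rule.
    """
    segments = [s for s in request.path.split("/") if s]
    run_rules = SUPPRESS_TOKEN not in segments

    # 1. Access rule: a traversal hook, and one the traverser may skip.
    if run_rules and folder.access_rule is not None:
        folder.access_rule(request)
        if request.RESPONSE.redirect_to is not None:
            return "redirect"

    # 2. Security framework: the permission check runs on every publish,
    #    regardless of how the request was routed to the object.
    if folder.view_roles is not None and not (folder.view_roles & request.roles):
        return "denied"
    return "ok"


def compare():
    """Run the same three requests against a rule-only folder and a
    rule-plus-permission folder; constructed scenarios, not real traffic."""
    setups = {
        "rule_only": Folder("testfolder", access_rule=access_rule_hb),
        "rule_and_perm": Folder("testfolder", access_rule=access_rule_hb,
                                view_roles=["Authenticated", "Manager"]),
    }
    results = {}
    for label, folder in setups.items():
        results[label] = {
            "anon_plain": publish(folder, Request("/testfolder")),
            "anon_suppressed": publish(
                folder, Request("/testfolder/" + SUPPRESS_TOKEN)),
            "member": publish(folder, Request(
                "/testfolder", session={"MySessionId": "abc"},
                roles=("Authenticated",))),
        }
    return results


if __name__ == "__main__":
    for label, outcome in compare().items():
        print(label, outcome)
```

With only the access rule, the anonymous request that skips the hook is published; with the View permission restricted to roles the anonymous user lacks, the same request is denied, while the access rule still does its job of redirecting session-less visitors on ordinary requests. In a real Zope 2 site the counterpart of `view_roles` is the View permission on the folder's Security tab, which is what Chris means by protecting the folder with a permission.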
_______________________________________________
Zope maillist - Zope@zope.org
http://lists.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://lists.zope.org/mailman/listinfo/zope-announce
http://lists.zope.org/mailman/listinfo/zope-dev )